summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rwxr-xr-xmeta-integrity/recipes-core/initrdscripts/files/init.ima13
-rw-r--r--meta-signing-key/recipes-support/key-store/key-store_0.1.bb13
2 files changed, 24 insertions, 2 deletions
diff --git a/meta-integrity/recipes-core/initrdscripts/files/init.ima b/meta-integrity/recipes-core/initrdscripts/files/init.ima
index f11ff13..c663817 100755
--- a/meta-integrity/recipes-core/initrdscripts/files/init.ima
+++ b/meta-integrity/recipes-core/initrdscripts/files/init.ima
@@ -97,6 +97,19 @@ fi
97 97
98mount --move ${ROOT_DIR}/proc /proc 98mount --move ${ROOT_DIR}/proc /proc
99 99
100# If we have a secondary trusted keyring, here is the opportunity to load
101# additional trusted keys from the real rootfs.
102for cert in ${ROOT_DIR}/etc/keys/x509_secondary_*.der; do
103 [ ! -s "$cert" ] && continue
104 name=`basename $cert`
105
106 if ! keyctl padd asymmetric "$name" %:.secondary_trusted_keys < $cert > ${ROOT_DIR}/dev/null; then
107 print_critical "Unable to load the secondary certificate $cert"
108 else
109 print_verbose "The secondary certificate $cert has been loaded"
110 fi
111done
112
100# The trusted IMA certificate /etc/keys/x509_evm.der in initramfs was 113# The trusted IMA certificate /etc/keys/x509_evm.der in initramfs was
101# automatically loaded by kernel already. Here is the opportunity to load 114# automatically loaded by kernel already. Here is the opportunity to load
102# a custom IMA certificate from the real rootfs. 115# a custom IMA certificate from the real rootfs.
diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
index 66691cc..30485a7 100644
--- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
+++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -31,6 +31,7 @@ SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
31 31
32# For ${PN}-secondary-trusted-cert 32# For ${PN}-secondary-trusted-cert
33SECONDARY_TRUSTED_CERT = "${KEY_DIR}/secondary_trusted_key.crt" 33SECONDARY_TRUSTED_CERT = "${KEY_DIR}/secondary_trusted_key.crt"
34SECONDARY_TRUSTED_DER_ENC_CERT = "${KEY_DIR}/x509_secondary_system_trusted_key.der"
34 35
35# For ${PN}-modsign-cert 36# For ${PN}-modsign-cert
36MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt" 37MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"
@@ -99,6 +100,8 @@ do_install() {
99 key_dir="${@uks_secondary_trusted_keys_dir(d)}" 100 key_dir="${@uks_secondary_trusted_keys_dir(d)}"
100 install -m 0644 "$key_dir/secondary_trusted_key.crt" \ 101 install -m 0644 "$key_dir/secondary_trusted_key.crt" \
101 "${D}${SECONDARY_TRUSTED_CERT}" 102 "${D}${SECONDARY_TRUSTED_CERT}"
103 openssl x509 -inform PEM -outform DER -in "${D}${SECONDARY_TRUSTED_CERT}" \
104 -out "${D}${SECONDARY_TRUSTED_DER_ENC_CERT}"
102 105
103 if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then 106 if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
104 install -m 0400 "$key_dir/secondary_trusted_key.key" \ 107 install -m 0400 "$key_dir/secondary_trusted_key.key" \
@@ -167,8 +170,14 @@ PACKAGES_DYNAMIC = "\
167FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" 170FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
168CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" 171CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
169 172
170FILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}" 173FILES_${PN}-secondary-trusted-cert = "\
171CONFFILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}" 174 ${SECONDARY_TRUSTED_CERT} \
175 ${SECONDARY_TRUSTED_DER_ENC_CERT} \
176 "
177CONFFILES_${PN}-secondary-trusted-cert = "\
178 ${SECONDARY_TRUSTED_CERT} \
179 ${SECONDARY_TRUSTED_DER_ENC_CERT} \
180 "
172 181
173FILES_${PN}-modsign-cert = "${MODSIGN_CERT}" 182FILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
174CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}" 183CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-11-06 05:24:13 +0000